1. Field of the Invention
The present invention relates to a method for detecting an improper removal of electronic equipment that deals with confidential data.
2. Description of Related Art
In the operation of electronic equipment such as a card reader, confidential data (such as key data to be used for encryption operations) is saved in a volatile memory backed up by a secondary power supply. Each time it is required, the confidential data is read out from the volatile memory to a working memory for executing various processes. Since the confidential data is indispensable for execution of those processes, it is usually saved in such a way that it does not disappear. However, if an error condition such as an improper removal of the electronic equipment is detected, both the secondary power supply to the volatile memory and the power supply from a main power source are shut off, and as a result the confidential data is deleted.
In such an operating environment, the electronic equipment such as a card reader is installed in a cabinet of an operation terminal to be operated by users, for example, a terminal used at a gas station and the like. A maintenance operator, who carries out maintenance and tuning work for such electronic equipment installed at a site in the market, sometimes needs to remove the electronic equipment from the cabinet of the operation terminal for users. Therefore, a function of deactivating removal detection is generally provided to prevent the confidential data from being deleted unnecessarily. After completion of the maintenance and tuning work, the electronic equipment is installed again in the cabinet of the operation terminal for users described above, and then the removal detection function is activated.
For example, in the entering/leaving management system disclosed in Japanese Unexamined Patent Application Publication No. 2005-148969 (JP 2005-148969), when an improper removal of a card reader is detected, a cryptographic key saved in the card reader is deleted. However, in consideration of the maintenance work described above, a higher-level device of the card reader is provided with a maintenance switch. Under this arrangement, as long as the maintenance switch is turned on, the cryptographic key is not deleted.
The above explanation focuses on deactivation and activation of the removal detection function at the time of maintenance work. However, the same technique of deactivating and activating the removal detection function is also used in the production stage of electronic equipment, before the equipment is installed at an installation site in the market, to prevent the confidential data from being deleted while the electronic equipment is removed from the cabinet of the operation terminal for users described above.
Unfortunately, the maintenance switch described in JP 2005-148969 may sometimes not provide enough operability for maintenance and tuning work and the like. More specifically, if the maintenance operator carelessly activates the removal detection function by mistake while the electronic equipment is not properly installed in the cabinet of the operation terminal for users described above, the removal of the electronic equipment is instantly detected and the confidential data is deleted. Such deletion of the confidential data is a fatal error, and once it has occurred, normal operation can in most cases no longer continue. In that condition, from the viewpoint of security, it is impossible to restore the electronic equipment then and there. As a result, the electronic equipment must be returned to an environment where security is ensured in order to be restored; in other words, the electronic equipment is deemed not to have enough operability.